Operating system: Debian 11
Kernel: Linux 5.10.0-16-amd64 #1 SMP Debian 5.10.127-1 (2022-06-30) x86_64 GNU/Linux
Installation method / source: Built from source
Name: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS
OID: 1.3.6.1.4.1.25623.1.0.108031
For some reason, the above-mentioned VT is not reporting any vulnerabilities anymore when 3DES/DES ciphers are used.
An example is that the SSL/TLS: Report Supported Cipher Suites reports the following ciphers on SSLv3:
I would have expected the SSL/TLS: Report Vulnerable Cipher Suites for HTTPS VT to be triggered as vulnerable, because of the highlighted ciphers (and quite a few others).
The example is the output from a scan of https://zero.webappsecurity.com/ which is very vulnerable.
Am I misunderstanding something or shouldn't the mentioned VT have triggered?
Hello @FairFight,
Did you check that the target is found alive? This can be found in the logs.
On my first run I found 0 results, but I found that the host doesn't respond to the ping (default alive test method).
After setting the target with "consider alive", I was able to get results.
Although, while I was testing this issue, I found another issue which can be related. I prepared a patch for it. Maybe this helps.
If you want to/can, please try it and let me know if it works. At least, you will get some more results.
Ok, I tested this again, but I built the scanner with the -DCMAKE_BUILD_TYPE="Release" flag. Without the patch I have no alert result in the report. But with the patch I get the result again.